Breaking Change!

These TYPO3 versions introduce a new configuration option:

$GLOBALS['TYPO3_CONF_VARS']['SYS']['trustedHostsPattern']

If you run into the error message "current host header does not match trusted hosts pattern" after updating to the above-mentioned TYPO3 versions, make sure to set trustedHostsPattern as described in Security Bulletin TYPO3-CORE-SA-2014-001.

Arbitrary code execution in extension "powermail" (powermail)

The powermail extension allows file uploads. It was discovered that files with specially crafted file extensions could be uploaded and then executed as PHP on the server when Apache is used as the web server with mod_mime available (the default). Files can be uploaded in powermail without the form ever being submitted, so a malicious file could be placed on the server without being noticed. Because powermail fails to check the uploaded file name against the fileDenyPattern pattern, it is susceptible to arbitrary code execution. This is a critical issue!
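
One way to implement the missing check, as an added example that is not powermail's or TYPO3's own code: the client-supplied name is tested against a deny pattern at the moment the file is received, before anything is written to disk, and the check fails closed. The regex (modelled on the fileDenyPattern setting), the function name isUploadNameAllowed and the sample names are assumptions constructed for this example.

```php
<?php
// Added example, not powermail or TYPO3 code.
// Assumption: this deny pattern is constructed for the example; a real site
// would read its configured fileDenyPattern instead.
const DENY_PATTERN = '\\.(php[0-9]?|phpsh|phtml|pht)(\\..*)?$|^\\.htaccess$';

/**
 * Return true only if the client-supplied upload name is safe to store.
 * Any doubt (empty name, control characters, regex error) means "reject".
 */
function isUploadNameAllowed(string $clientName, string $denyPattern = DENY_PATTERN): bool
{
    // Reject empty names, NUL bytes and other control characters up front.
    if ($clientName === '' || preg_match('/[\x00-\x1f]/', $clientName) !== 0) {
        return false;
    }
    // Keep only the file name; normalise Windows separators first.
    $name = basename(str_replace('\\', '/', $clientName));
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // mod_mime evaluates every dot-separated part of a name, so the pattern
    // also matches a denied extension that is followed by further extensions.
    // preg_match() returns false on error; only an explicit 0 is accepted.
    return preg_match('/' . $denyPattern . '/i', $name) === 0;
}

// Constructed sample names (not taken from the bulletin).
$samples = [
    'invoice.pdf',
    'photo.JPG',
    'notes.php.txt',
    'page.PHTML',
    '.htaccess',
    'dir/../cv.docx',
];

foreach ($samples as $sample) {
    printf("%-16s %s\n", $sample, isUploadNameAllowed($sample) ? 'accept' : 'reject');
}
```

The check belongs in the code path that receives the file, not only in the final form-submit handler, since the upload happens before submission.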